Release notes: SecureAuth CIAM 2.25.0
Summary of new features and changes in the SecureAuth CIAM platform (formerly known as Cloudentity) version 2.25.0.
For platform component version details, see SecureAuth platform dependencies version reference.
Release Date: May 31, 2025
Major additions and changes
AUT-12309
Introduced a new advanced server configuration that enables a single audience check in assertion JWTs for the private_key_jwt and client_secret_basic authentication methods. This helps mitigate the Audience Injection vulnerability.
See: https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc7523bis.
This flag is enabled by default for new workspaces, except for CDR.
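As an added illustration of the single audience check described above (this is not SecureAuth's own code; the issuer identifier, client id and assertions are constructed placeholders), the following Python contrasts lax audience matching, which accepts an assertion whenever the server appears somewhere in a multi-valued aud, with the strict rule of draft-ietf-oauth-rfc7523bis, under which the server's issuer identifier must be the sole audience:

```python
import base64
import json

# Constructed placeholder for the authorization server's issuer identifier.
AS_ISSUER = "https://as.example.test"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(segment: str) -> bytes:
    # Restore the padding that compact JWT serialization strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def assertion_claims(assertion: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    Signature verification is a separate step and is deliberately not done here."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_unb64url(parts[1]))

def audience_accepted(claims: dict, issuer: str, single_audience: bool) -> bool:
    """Audience rule a token endpoint applies to a client assertion.
    Lax (single_audience=False): accept if our issuer identifier appears anywhere in aud.
    Strict (single_audience=True): our issuer identifier must be the only audience value."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        return False
    if single_audience:
        return len(aud) == 1 and aud[0] == issuer
    return issuer in aud

def unsigned_assertion(claims: dict) -> str:
    """Build a constructed, unsigned (alg none) assertion for this demo only."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

# Constructed assertion that names this server together with a second audience:
# lax matching accepts it, the strict single-audience rule rejects it.
MULTI_AUD = unsigned_assertion({"iss": "client-123", "sub": "client-123",
                                "aud": [AS_ISSUER, "https://other-as.example.test"]})
# Constructed assertion with this server as the sole audience: accepted by both rules.
SINGLE_AUD = unsigned_assertion({"iss": "client-123", "sub": "client-123", "aud": AS_ISSUER})
```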
Minor enhancements
AUT-11795
Added support for Okta V2 OIDC-based IDP.
AUT-11992
Introduced a system API to manage secrets. Updated system APIs to avoid returning encrypted values.
AUT-12028
Improved 2FA and Recovery Verification Code views on the login page:
- Users can select from multiple addresses in the "Use Alternative" view
- On invalid code entry, users can re-enter the code without returning to the initial OTP view
- Masked addresses where codes are sent
- "Use Alternative" is hidden if no other address is available
- Users are notified if the code was not sent and no usable addresses exist
AUT-12073
Deprecated self-user Identity APIs:
- /self/me (GET, POST)
- /self/change-password
Use the /v2 versions of those endpoints.
Also:
- Restricted access to the self-user Complete Address Verification Identity API (hidden behind a feature flag; disabled for new tenants).
- Restricted access to the public Confirm Reset Password Identity API (hidden behind a feature flag; disabled for new tenants).
AUT-12086
Removed the enforce_system_admin_workspace_access feature flag.
AUT-12098, AUT-12099, AUT-12100, AUT-12101, AUT-12149, AUT-12155
Added new IDP connectors with the use_embedded flag, available behind the common_idps feature flag:
- Apple
- Facebook (Meta)
- Google Workspace
- LinkedIn
- Microsoft (personal accounts only)
- X (Twitter)
AUT-12171
Enhanced Google Workspace IDP with group retrieval support. Requirements:
- Service account with the admin.directory.groups.readonly scope
- Admin email address for impersonation
AUT-12186
Added client secret support in X (Twitter) IDP.
AUT-12193
Added a generic-purpose OAuth2 IDP.
AUT-12244
Introduced a new server pre-login policy execution point.
Bug fixes
AUT-11937
Introduced a new version of /password/verify that returns HTTP 200 on an incorrect password and provides detailed verification results. Deprecated the previous Identity System API /password/verify.
AUT-12087
Prevented errors during JIT lookup when the correlation identifier is empty.
AUT-12102
Now publishes a "create tenant" event when importing new tenants.
AUT-12200
Generated new script IDs when an organization is created from a template. Updated script execution points accordingly. Available behind the clone_workspace_scripts_fix feature flag.